Windows: net 관련 commands

Windows 10/11 에서 가끔 사용하는 net 명령을 정리했다.

interface 명령으로 포트 포워드

  • 포트 포워드: netsh interface

Port forward 보기

1
2
3
4
5
6
7
> netsh interface portproxy show v4tov4

Listen on ipv4: Connect to ipv4:

Address Port Address Port
--------------- ---------- --------------- ----------
0.0.0.0 2020 localhost 2020

Port 5000을 내부 IP 192.168.0.10의 포트 5555번으로 포워딩

1
> netsh interface portproxy add v4tov4 listenport=5000 listenaddress=0.0.0.0 connectport=5555 connectaddress=192.**168**.0.10

wsl 쪽 호스트로 Port 5000을 내부포트 5555번으로 포워딩

1
> netsh interface portproxy add v4tov4 listenport=5000 listenaddress=0.0.0.0 connectport=5555 connectaddress=(wsl hostname -I)

포트 포워드 삭제

1
netsh interface portproxy delete v4tov4 listenport=5000 listenaddress=0.0.0.0

방화벽

https://learn.microsoft.com/ko-kr/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell

  • 방화벽 설정 켜기/끄기: netsh advfirewall set currentprofile state on/off
  • 방화벽 프로필 설정: netsh advfirewall show profile 또는 netsh advfirewall set currentprofile
  • 방화벽 규칙 관리: netsh advfirewall rule add/show/delete
  • 방화벽 설정 보기: netsh advfirewall show allprofile

모든 방화벽 프로파일 보기

1
> netsh advfirewall show allprofile 

방화벽에 TCP 5000 포트를 허용

1
> netsh advfirewall firewall add rule name="TCP/5000" protocol=TCP dir=in localport=5555 action=allow

TCP/5000 포트의 방화벽 보기

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
> netsh advfirewall firewall show rule name="TCP/5000"

Rule Name: TCP/5000
----------------------------------------------------------------------
Enabled: Yes
Direction: In
Profiles: Domain,Private,Public
Grouping:
LocalIP: Any
RemoteIP: Any
Protocol: TCP
LocalPort: 5000
RemotePort: Any
Edge traversal: No
Action: Allow
Ok.

포트 포워드 삭제

1
2
3
4
5
# 포트 포워드 삭제
netsh interface portproxy delete v4tov4 listenport=5000 listenaddress=0.0.0.0

# 방화벽 삭제
netsh advfirewall firewall delete rule name="TCP/5000"

openSUSE: firewalld

firewalld 를 이용해서 방화벽을 구성해 보자.

  • RedHat, Ubuntu, OpenSUSE LEAP 15.0 등은 시스템 기본 파이어월 관리자로 firewalld 를 제공한다고 한다.

firewalld

firewalld 는 ….

firewalld는 ufw 처럼 iptables 을 구성할 수 있다.

[그림. Firewall Stack (redhat.com)]

네트워크를 지역 관리가 가능해서 다른 네트워크, 지역에 따라 다른 규칙으로 구성해서 사용할 수 있다.
For example “Home” and “Office” where all communications with local machines are allowed, and “Public Wi-Fi” where no communication with the same subnet would be allowed.

https://www.ctrl.blog/entry/ufw-vs-firewalld

firewalld 설치

OpenSUSE LEAP 15.0, RedHat, Ubuntu 등은 시스템 기본 파이어월 관리자로 firewalld 를 제공한다고 한다.

1
$ sudo apt install firewalld

Start firewalld

To start firewalld, enter the following command as root:

1
systemctl start firewalld

root 사용자로 시작한다.

1
2
sudo systemctl enable firewalld
sudo reboot

For more information about the service status, use the systemctl status sub-command:

1
2
3
4
5
6
sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 1970-01-01 09:01:48 KST; 48 years 6 months ago

sudo firewall-cmd --state

Stop firewalld

To stop firewalld, enter the following command as root:

1
systemctl stop firewalld

To prevent firewalld from starting automatically at system start, enter the following command as root:

1
systemctl disable firewalld

To make sure firewalld is not started by accessing the firewalld D-Bus interface and also if other services require firewalld, enter the following command as root:

1
systemctl mask firewalld

사용해 보기

firewalld 는 명령라인 firewall-cmd 와 GUI로 firewall-config 명령을 지원한다.

Zone 설정

Get a list of all supported zones

1
firewall-cmd --get-zones

List all zones with the enabled features.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ firewall-cmd --list-all-zones
...

public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

기본으로 제공하는 Zone

  • drop: Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
  • block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
  • public: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
  • external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
  • dmz: For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
  • work
    For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
  • home
    For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
  • internal
    For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
  • trusted
    All network connections are accepted.

Zone

1
2
sudo firewall-cmd --get-default-zone
public

서비스

This command prints a space separated list.

Get a list of all supported services

1
$ firewall-cmd --get-services

This command prints a space separated list.

Get a list of all supported icmptypes

1
firewall-cmd --get-icmptypes

서비스를 제거하려면

1
2
3
4
# firewall-cmd --zone=public --remove-service=http
success
root@odroidc2:/home/qkboo# firewall-cmd --zone=public --remove-service=https
success

Http, Ssh 방화벽 활성화

http, https 를 공개 서비스를 지원하는 기본 존인 public에 추가한다.

1
2
3
sudo firewall-cmd --add-service=ssh
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https

sudo firewall-cmd –zone=public –add-service=http –permanent

방화벽을 갱신한다

1
2
firewall-cmd --reload
firewall-cmd --state

혹은 zone을 지정해 추가한다.

1
2
3
4
sudo firewall-cmd --zone=web --add-service=ssh
sudo firewall-cmd --zone=web --add-service=http
sudo firewall-cmd --zone=web --add-service=https
sudo firewall-cmd --zone=web --list-all

Likewise, we can add the DNS service to our “privateDNS” zone:

1
2
sudo firewall-cmd --zone=privateDNS --add-service=dns
sudo firewall-cmd --zone=privateDNS --list-all

Zone 에 구성한 서비스 등은 런타임 혹은 완전히 방화벽에 구성할 수 있다.

To change settings in both modes, you can use two methods:
Change runtime settings and then make them permanent as follows:

1
2
firewall-cmd <other options>
firewall-cmd --runtime-to-permanent

Set permanent settings and reload the settings into runtime mode:

1
2
firewall-cmd --permanent <other options>
firewall-cmd --reload

모든 구성 내용 확인:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ sudo firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

특정 zone 에 대한 내역을 출력한다:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ sudo firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

참조

https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos/

FirewallD

Firewalld configuration and usage

Getting Started `firewalld`

RedHat, CentOS, Fedora 배포본 등에서 표준 방화벽 인터페이스로 제공되는 최신 FirewallD 사용을 시작해 보자. firewalld 패키지 설치는 각 배포본의 방법으로 설치하면 된다.

여기서는 OpenSUSE, Armbian 배포본을 설치한 시스템에서 firewalld 방화벽을 구성하고 설정하는 과정을 요약 정리했다.

자세히 보기